Much of cybersecurity policy and practice is dedicated to protecting against external threats and attacks that put networks, data, and devices at risk. Malicious incidents of hacking, phishing, and the like from the outside are certainly a formidable force to be reckoned with, and detecting and preventing them should be a priority, but that doesn’t mean that they’re the only issue to be concerned about. Threats can also come from inside an organization, and the dangers of these cases are often insidious, posing risks beyond what might be immediately obvious.
What is an Insider Threat?
The United States Cybersecurity and Infrastructure Security Agency (CISA) defines an insider as “any person who has or had authorized access to or knowledge of an organization’s resources.” An insider threat is exactly what you might guess from the name: the potential for someone to use that access or knowledge against the organization. The definition is broad and covers many different types of risk. An insider threat can be a purposeful, malicious act; an accidental mistake on the part of a legitimate insider; or the result of an outsider using stolen credentials to gain access to an organization.
Insider threats can be particularly harmful to an enterprise. Authorizing access to networks, systems, and facilities opens many doors for external actors to break down or sneak through to cause harm. Organizations without proper security measures could be allowing insiders entry into sensitive areas without ensuring access is necessary. This creates an opportunity for employees, contractors, and other insiders to harm the organization, whether intentionally or unintentionally. According to a report from the Ponemon Institute, most insider threats (56%) are due to employee or contractor negligence.
The Costs of an Insider Threat
While nefarious insiders can, and do, employ methods that correlate directly to monetary loss, the costs of insider threats run much deeper than that. Incidents due to negligence or accident are less costly per incident than malicious attacks from within, but they still contribute significantly to the total financial burden left in the wake of a security event. Because they occur approximately twice as frequently as incidents caused by criminal insiders and credential thieves, the mistakes made by an insider who doesn’t know any better can cost an organization millions of dollars. The Ponemon report cites the total cost of insider threats in 2022 at 15 million USD, up from about 11 million in 2020.
Reckoning the true cost of an insider threat incident is difficult, as many factors converge to make up the total. Some insider threat actors are purely after money, while others are focused on espionage or sabotage; regardless of motive, the consequences of these attacks go well beyond money being stolen or extorted. There are disruption costs caused by system downtime, costs associated with replacing or updating technology, and the labor it takes to get things back to running smoothly. Every step of the process and every cog in the machine comes with a price, so even if an organization responds to an insider threat quickly and efficiently, the loss is significant.
Protecting Against Insider Threats
Because employee or contractor negligence makes up the largest proportion of insider threats, both by the number of incidents and by total cost, one of the most important steps in preventing these incidents is ensuring that users are trained in cybersecurity basics and network functions. Establishing security policies and educating network users on the rules, reasons, and consequences can go a long way toward preventing major losses. Employing the principle of least privilege is also a significant factor. If users are not allowed to access sensitive areas unless necessary for their function, then the chances of that access leading to an incident are minimized.
For incidents that are due to malicious action on the part of an insider or credential thief, there are tools for both prevention and detection. Detecting an insider threat only after it has become a problem may mitigate (though not eliminate) the costs of an incident, but it is largely unhelpful on its own, as detection software often returns “so many false positives that the real threats go uninvestigated.” This is why prevention is essential when attempting to protect against the many risks of insider threats. A variety of available products can detect risks from insiders before they cause any damage, with features such as real-time user coaching messages and blocking to stop actions that may cause harm.
When considering the risks faced by an enterprise, insider threats may not be immediately obvious. Awareness of the potential dangers of an insider threat is crucial for anyone hoping to build a solid security policy to protect their organization. By training employees, enacting protective policies, and employing tools created to detect suspicious and potentially dangerous activity, an organization can avoid many possible security incidents. Preparation and prevention are worth the world. Waiting until an event occurs to implement these measures may cost a great deal.